-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 10 Mar 2026 21:35:45 +0100
Source: imagemagick
Architecture: source
Version: 8:7.1.2.16+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Changes:
 imagemagick (8:7.1.2.16+dfsg1-1) unstable; urgency=high
 .
   * New upstream version
   * Drop patch about double free in SVG applied upstream
   * Fix CVE-2026-28493: An integer overflow vulnerability exists in the
     SIXEL decoder. The vulnerability allows an attacker to perform an out
     of bounds via a specially crafted image.
   * Fix CVE-2026-28494: A stack buffer overflow exists in ImageMagick's
     morphology kernel parsing functions. User-controlled kernel strings
     exceeding a buffer are copied into fixed-size stack buffers via memcpy
     without bounds checking, resulting in stack corruption.
   * Fix CVE-2026-28686: A heap-buffer-overflow vulnerability exists in the
     PCL encode due to an undersized output buffer allocation.
   * Fix CVE-2026-28687: A heap use-after-free vulnerability in
     ImageMagick's MSL decoder allows an attacker to trigger access to
     freed memory by crafting an MSL file.
   * Fix CVE-2026-28688: A heap-use-after-free vulnerability exists in the
     MSL encoder, where a cloned image is destroyed twice. The MSL coder
     does not support writing MSL so the write capability has been removed.
   * Fix CVE-2026-28689: Domain="path" authorization is checked before
     final file open/use. A symlink swap between check-time and use-time
     bypasses policy-denied read/write.
   * Fix CVE-2026-28690: A stack buffer overflow vulnerability exists in
     the MNG encoder. There is a bounds check missing, which could corrupt
     the stack with attacker-controlled data.
   * Fix CVE-2026-28691: An uninitialized pointer dereference vulnerability
     exists in the JBIG decoder due to a missing check.
   * Fix CVE-2026-28692: MAT decoder uses 32-bit arithmetic due to
     incorrect parenthesization resulting in a heap over-read.
   * Fix CVE-2026-28693: An integer overflow in DIB coder can result in
     out of bounds read or write.
   * Fix CVE-2026-30883: An extremely large image profile could result in
     a heap overflow when encoding a PNG image.
   * Fix CVE-2026-30929: MagnifyImage uses a fixed-size stack buffer. When
     using a specific image it is possible to overflow this buffer and
     corrupt the stack.
   * Fix CVE-2026-30931: A heap-based buffer overflow in the UHDR encoder
     can happen due to truncation of a value and it would allow an out of
     bounds write.
   * Fix CVE-2026-30935: BilateralBlurImage contains a heap buffer
     over-read caused by an incorrect conversion. When processing a crafted
     image with the -bilateral-blur operation an out of bounds read can
     occur.
   * Fix CVE-2026-30936: A crafted image could cause an out of bounds heap
     write inside the WaveletDenoiseImage method. When processing a crafted
     image with the -wavelet-denoise operation an out of bounds write can
     occur.
   * Fix CVE-2026-30937: A 32-bit unsigned integer overflow in the XWD
     (X Windows) encoder can cause an undersized heap buffer allocation.
     When writing an extremely large image an out of bounds heap write can
     occur.